Decentralized finance (DeFi) protocol Conic Finance said on Friday that one of its Omnipools was compromised through a vulnerability that allowed an attacker to take 1,700 ether (ETH), worth more than $3.6 million at current exchange rates.
The root cause of the attack, according to BlockSec, was price manipulation caused by a “read-only re-entry.” Re-entry, also called reentrancy, is a common defect that allows attackers to trick a smart contract by repeatedly invoking the protocol to obtain money. A call is a request from the smart contract address to interact with the user’s wallet address.
We are currently investigating an exploit involving the ETH Omnipool and will share updates as soon as they are available.
— Conic Finance (@ConicFinance) July 21, 2023
Users can now deposit tokens into Conic Finance’s Omnipools, a new product that increases payouts while diversifying risk in the Curve ecosystem. Omnipools were launched on March 1. Shortly after the launch, the protocol raised millions of dollars in investment, which indicates a huge demand for such a product.
Each Omnipool distributes the liquidity of a single asset across different Curve pools. To maximize the earning potential from Curve rewards (CRV), all Curve liquidity provider (LP) tokens are staked on Convex. Depositors are rewarded in both Conic (CNC), Conic’s own token, and Convex (CVX), another token in the Curve ecosystem.
Conic Finance engineers said they are still investigating the cause of the exploit and are communicating with the relevant parties. The programmers also said they have disabled the problematic pool that allegedly made the attack possible. “We have disabled ETH Omnipool deposits on the Conic front-end,” they said.